Download Lecture on Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
Document related concepts

Cryptanalysis wikipedia , lookup

Cryptography wikipedia , lookup

One-time pad wikipedia , lookup

Commitment scheme wikipedia , lookup

Digital signature wikipedia , lookup

Public-key cryptography wikipedia , lookup

History of cryptography wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Quantum key distribution wikipedia , lookup

Web of trust wikipedia , lookup

Certificate authority wikipedia , lookup

Diffie–Hellman key exchange wikipedia , lookup

Transcript 
Class on Security
Raghu
Current state of Security






Cracks appear all the
time
Band Aid solutions
Applications are not
designed properly
OS designs are not
good
Internet is a can of
worms
Hardware is secure
Applications
Operating
System
Hardware
Problems




Badly designed Libraries
Trojans exploit Buffer Overflow attack – read
exploits on MDAC
Most attacks originate on the Internet
How?
–
Social Engineering


Messenger
Mail
Problems Continued




Credit Card thefts are quite common
Passwords are stolen
Social Security is stolen
Why?
–
–
Shared secret
Is shared secret really a secret?

No
Solutions
 None!
–
Not really, none in the current set up
 So
what can be done?
Some sort of overhaul is required
– So what can we do to avoid shared
secret?
–
The first step



Public – Private Key encryption
You encrypt/decrypt using one key, and the
corresponding decryption/encryption
happens through the other key.
If encryption is done using public key,
decryption is done using private key, and vice
versa.
Public – private key contd




Your public Key is known to everyone.
Only you have the private key.
All authentication based on challenge response
Your private key is never exposed*
* Standard terms and conditions apply
Example of a Secure System

SSL – Secure Sockets Layer
–
–
–
Based on Public Private Key
Server’s Public key is stored at the client side
Data exchanged is encrypted with session key
SSL connection establishment




Client hello
Server hello
Client sends session key, password
Communication is encrypted using session
key
SSL

Can someone impersonate server?
–
As long as the client knows the public key of the
server - NO
SSL continued



SSL was designed even before the internet
was up.
SSL is well thought through. It is a nice
example of public – private key scheme that
works.
Public – Private key systems should replace
Shared Secret systems
Digital Certificates



Alice goes and asks Bob for a certificate.
Bob generates* a public – private key
pair and gives it to Alice.
Bob generates a document and places
on it the following
–
–
–
–
Alice’s Name/Info
Alice’s public Key
Bob’s Info which can be the Certificate
Signature
* Is this Completely Correct?
ALICE
Pub Key of Alice
Bob’s Info –
[certificate]
Signature
Signature??



Bob takes Alice’s Public key and finds its Hash
Then he encrypts the above value with his private
key
This is the signature
Bob’s Private Key
Kpriv[B]
Public Key
Kpub [A]
Hashing
Algorithm
H(Kpub[A])
RSA
Encryptor
Priv[B]{H(Kpub[A])}
So what is a signature

Your Identity

The certificate proves that you are indeed who you
claim you are.

So can I get a certificate in the name Ronaldo Luiz
Nazário de Lima
–
–
Yes
Then what is the point?
You are who you claim?



I claim to be a person, say Ronaldo for
instance.
I produce a certificate saying the holder of
this certificate is Ronaldo
Now If I do have the private key
corresponding to the public key on the
certificate, then I am indeed the person who
owns the certificate.
So where does that leave us







Suppose Alice wants to talk to the server Bob
How does Bob know if Alice is indeed Alice?
Digital Certificates helps Bob identify Alice
Suppose Bob trusts Trent
Alice has a certificate signed by Trent, which says –
this certificate belongs to Alice
Bob Sees the certificate and agrees that Alice is
indeed Alice.
Can Mallory steal the certificate and pose as Alice to
Bob?
Stolen Certificates?

We show our digital certificate everywhere
for authentication.

So can someone who has seen the
certificate not replicate it.
–
–
Sure, Yes.
So what good is a certificate
Challenge Response


This problem is solved by challenge
response.
Mallory has Alice’s certificate
–

Does she become Alice
Bob does a challenge response.
–
–
He sends a random number encrypted in the
public key on the certificate.
If Mallory produces the random number from the
encrypted value, great, impersonation achieved

Otherwise she is not the holder of the certificate.
So where can certificates be used


Authentication
If I have a certificate from ASU, I can get
authenticated using my certificate.
–
–


No ASU id required
No password required
If I have a certificate from my bank, I can log on to
the Bank’s website without a password.
Moreover, If I have a certificate from the government,
do I need to show my Social Security Number at
every step?
Recap

Shared Secrets are pretty much shared non secrets
–
–
Why? A password is entered on every computer that you
have to log on.
My Social Security # is in a number of offices.




–
Wherever I worked on campus
Division of Graduate Studies
Human Resources
Financial Aid Services
Great, so how many people know my secret?

I have lost count
Recap


We saw two protocols that work
Why do they work
–
–
They are NOT based on shared secrets
If we all shift to using the public private key
system, my private key will never be revealed*
*Blah, Blah Apply
Will tell the reason in a few slides
Fixing Bad designs

We saw how to fix the problem of
authentication using Public Private Key
systems

We saw how to get rid of shared secrets

What about credit cards?
–
That is another mess that can be cleaned
Fixing Credit Cards





Bob – card Provider
Alice – card holder
Bob provides a credit card based on Public –
private key
Alice signs the hash of a bill using the private
key
Bob decrypts the sign using Alice’s public key
Small Terms and Conditions


Private Key of a digital certificate is stored on a
computer
How secure is a computer
–

Not very secure
What can a Virus do?
–
Delete files, format system….,

–
Steal your Private Key.

–
No this is old hat
Your certificate is as good as nothing
It can install a spurious certificate
Viruses

How many trojans*/ viruses in the open
–
Probably thousands
* NOT USC Trojans
How is a computer made secure
Anti – Virus
 Firewall
 Anti Spyware
….
….
….
 So these software protect the Computer
 Now who protects these software?

Attacks on Anti viruses





Anti virus is a process
It can be easily identified
It can be killed
It can be patched on
Examples
–
–
–
SpamThru Trojan
Beast
Win32.Glieder.AF
So what am I doing


Trying to create an anti virus process that is
undetectable
A funky name coined for this project is
–

“The Undetectable Virus Detector”
Steganography principles
Related documents
Association for Molecular Pathology Certificate of
Association for Molecular Pathology Certificate of
Webinar - Association for Molecular Pathology
Webinar - Association for Molecular Pathology
Problem: Alice and Bob play the following number game. Alice
Problem: Alice and Bob play the following number game. Alice
2012 Prelim Paper
2012 Prelim Paper
Association for Molecular Pathology Certificate of Attendance
Association for Molecular Pathology Certificate of Attendance
Networking Support Certificate C25340B
Networking Support Certificate C25340B
Social Media Marketing Certificate
Social Media Marketing Certificate
Tutorial 3 Selected Answers Question 13
Tutorial 3 Selected Answers Question 13
HON152 – Physics of Time – Homework 2 This homework is due
HON152 – Physics of Time – Homework 2 This homework is due
Natural Resource Conservation and Management
Natural Resource Conservation and Management